CORD-1007 Generate certs and keys on the corddev VM
Change-Id: I18e9662f3efc7bf249ed319b1f7f7086f9424270
diff --git a/deploy-openstack-playbook.yml b/deploy-openstack-playbook.yml
index 4c40c56..fa44a2d 100644
--- a/deploy-openstack-playbook.yml
+++ b/deploy-openstack-playbook.yml
@@ -17,19 +17,6 @@
- { role: head-prep, become: yes }
- create-lxd
-- name: Create SSL root/intermediate CAs and server certificates
- connection: local
- hosts: localhost
- roles:
- - pki-root-ca
- - pki-intermediate-ca
- - pki-cert
-
-- name: Install CA certificates
- hosts: head
- roles:
- - pki-install
-
- name: Start OpenStack install
hosts: head
roles:
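Review bot: With the two PKI plays removed, nothing left in this playbook produces the files that the juju-setup templates read via `lookup('file', '{{ pki_dir }}/keystone.{{ site_suffix }}_key.pem')` and friends, so the playbook now presumably depends on pki-install-playbook.yml having been run beforehand, and that ordering is not stated anywhere in the file. A comment at the top of the playbook such as `# Prerequisite: run pki-install-playbook.yml first to populate pki_dir (/opt/pki)` would make the dependency explicit to whoever runs this on its own.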
@@ -42,4 +29,3 @@
hosts: head
roles:
- juju-finish
-
diff --git a/deploy-xos-playbook.yml b/deploy-xos-playbook.yml
index 965b2e9..df4a125 100644
--- a/deploy-xos-playbook.yml
+++ b/deploy-xos-playbook.yml
@@ -13,8 +13,20 @@
# for docker, docker-compose
- include: devel-tools-playbook.yml
-# for generating SSL certs
-- include: pki-setup-playbook.yml
+# setup PKI when needed for development
+- name: Create Root CA, Intermediate CA, Server certs
+ hosts: localhost
+ connection: local
+ roles:
+ - { role: pki-root-ca, when: needs_pki_install is defined and needs_pki_install }
+ - { role: pki-intermediate-ca, when: needs_pki_install is defined and needs_pki_install }
+ - { role: pki-cert, when: needs_pki_install is defined and needs_pki_install }
+
+# install PKI when needed for development
+- name: Install CA certificates
+ hosts: head
+ roles:
+ - { role: pki-install, when: needs_pki_install is defined and needs_pki_install }
- name: Create CORD profile, create docker images, bootstrap XOS in docker
hosts: head
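Review bot: The condition `needs_pki_install is defined and needs_pki_install` is repeated verbatim on all four role entries across the two new plays; `when: needs_pki_install | default(false)` gives the same result for the values the profile manifests set (unset, `True`, `False`) and reads better inside the flow-style role mappings, e.g. `- { role: pki-root-ca, when: needs_pki_install | default(false) }`. The `Install CA certificates` play is also not separated from the following `Create CORD profile` play by a blank line, unlike the play above it.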
@@ -39,4 +51,3 @@
roles:
- xos-ready
- xos-config
-
diff --git a/pki-install-playbook.yml b/pki-install-playbook.yml
new file mode 100644
index 0000000..bdf4e1b
--- /dev/null
+++ b/pki-install-playbook.yml
@@ -0,0 +1,19 @@
+---
+# pki-install-playbook.yml
+
+- name: Include vars
+ hosts: all
+ tasks:
+ - name: Include variables
+ include_vars: "{{ item }}"
+ with_items:
+ - "profile_manifests/{{ cord_profile }}.yml"
+ - profile_manifests/local_vars.yml
+
+# for generating SSL certs
+- include: pki-setup-playbook.yml
+
+- name: Install CA certificates
+ hosts: head
+ roles:
+ - pki-install
diff --git a/profile_manifests/api-test.yml b/profile_manifests/api-test.yml
index cba05fe..2e19f43 100644
--- a/profile_manifests/api-test.yml
+++ b/profile_manifests/api-test.yml
@@ -7,6 +7,7 @@
frontend_only: True
use_openstack: False
use_vtn: False
+needs_pki_install: True
build_xos_base_image: True
build_xos_test_image: True
@@ -60,4 +61,3 @@
subj: "/C=US/ST=California/L=Menlo Park/O=ON.Lab/OU=Test Deployment/CN=xos-core.{{ site_suffix }}"
altnames:
- "DNS:xos-core.{{ site_suffix }}"
-
diff --git a/profile_manifests/frontend.yml b/profile_manifests/frontend.yml
index 3afea33..0ba5244 100644
--- a/profile_manifests/frontend.yml
+++ b/profile_manifests/frontend.yml
@@ -7,6 +7,7 @@
frontend_only: True
use_openstack: False
use_vtn: False
+needs_pki_install: True
build_xos_base_image: True
@@ -27,4 +28,3 @@
subj: "/C=US/ST=California/L=Menlo Park/O=ON.Lab/OU=Test Deployment/CN=xos-core.{{ site_suffix }}"
altnames:
- "DNS:xos-core.{{ site_suffix }}"
-
diff --git a/profile_manifests/mock-ecord-global.yml b/profile_manifests/mock-ecord-global.yml
index 81aaad8..2357329 100644
--- a/profile_manifests/mock-ecord-global.yml
+++ b/profile_manifests/mock-ecord-global.yml
@@ -13,6 +13,7 @@
frontend_only: False
use_openstack: False
use_vtn: False
+needs_pki_install: True
build_xos_base_image: True
@@ -55,4 +56,3 @@
subj: "/C=US/ST=California/L=Menlo Park/O=ON.Lab/OU=Test Deployment/CN=xos-core.{{ site_suffix }}"
altnames:
- "DNS:xos-core.{{ site_suffix }}"
-
diff --git a/profile_manifests/mock-ecord.yml b/profile_manifests/mock-ecord.yml
index 995ecd2..69bd8c5 100644
--- a/profile_manifests/mock-ecord.yml
+++ b/profile_manifests/mock-ecord.yml
@@ -13,6 +13,7 @@
frontend_only: False
use_openstack: False
use_vtn: False
+needs_pki_install: True
build_xos_base_image: True
@@ -66,4 +67,3 @@
subj: "/C=US/ST=California/L=Menlo Park/O=ON.Lab/OU=Test Deployment/CN=xos-core.{{ site_suffix }}"
altnames:
- "DNS:xos-core.{{ site_suffix }}"
-
diff --git a/profile_manifests/mock-mcord.yml b/profile_manifests/mock-mcord.yml
index b33b9ea..5a9f876 100644
--- a/profile_manifests/mock-mcord.yml
+++ b/profile_manifests/mock-mcord.yml
@@ -13,6 +13,7 @@
frontend_only: True
use_openstack: False
use_vtn: False
+needs_pki_install: True
build_xos_base_image: True
@@ -53,4 +54,3 @@
subj: "/C=US/ST=California/L=Menlo Park/O=ON.Lab/OU=Test Deployment/CN=xos-core.{{ site_suffix }}"
altnames:
- "DNS:xos-core.{{ site_suffix }}"
-
diff --git a/profile_manifests/mock-rcord.yml b/profile_manifests/mock-rcord.yml
index 9f7d7b4..66f0927 100644
--- a/profile_manifests/mock-rcord.yml
+++ b/profile_manifests/mock-rcord.yml
@@ -13,6 +13,7 @@
frontend_only: True
use_openstack: False
use_vtn: True
+needs_pki_install: True
build_xos_base_image: True
@@ -86,4 +87,3 @@
subj: "/C=US/ST=California/L=Menlo Park/O=ON.Lab/OU=Test Deployment/CN=xos-core.{{ site_suffix }}"
altnames:
- "DNS:xos-core.{{ site_suffix }}"
-
diff --git a/roles/cord-profile/tasks/main.yml b/roles/cord-profile/tasks/main.yml
index de66651..2ce0269 100644
--- a/roles/cord-profile/tasks/main.yml
+++ b/roles/cord-profile/tasks/main.yml
@@ -35,17 +35,6 @@
mode: 0600
with_items: "{{ xos_service_sshkeys }}"
-- name: Copy over core api key
- copy:
- src: "{{ playbook_dir }}/pki/intermediate_ca/private/xos-core.{{ site_suffix }}_key.pem"
- dest: "{{ cord_profile_dir }}/core_api_key.pem"
- mode: 0600
-
-- name: Copy over core api cert
- copy:
- src: "{{ playbook_dir }}/pki/intermediate_ca/certs/xos-core.{{ site_suffix }}_cert_chain.pem"
- dest: "{{ cord_profile_dir }}/core_api_cert.pem"
-
- name: Make Image directory ( outside of profile directory to avoid repeat downloads on sequential runs)
become: yes
file:
@@ -122,4 +111,3 @@
src: "{{ ansible_user_dir }}/node_key"
dest: "{{ cord_profile_dir }}/node_key"
mode: 0600
-
diff --git a/roles/create-lxd/tasks/main.yml b/roles/create-lxd/tasks/main.yml
index 3e081a2..a86fe66 100644
--- a/roles/create-lxd/tasks/main.yml
+++ b/roles/create-lxd/tasks/main.yml
@@ -44,6 +44,10 @@
nictype: bridged
parent: mgmtbr
type: nic
+ certs:
+ type: disk
+ path: /usr/local/share/ca-certificates/cord/
+ source: /usr/local/share/ca-certificates/
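Review bot: The new `certs` disk device bind-mounts the host's `/usr/local/share/ca-certificates/` into each container without a `readonly` setting, so LXD mounts it read-write and a process in any container can add or replace files in the host's local CA directory, which the host and every other container will then trust after the next `update-ca-certificates` run. The containers only need to read the certificates, so add `readonly: "true"` to the device. The profile definition this device belongs to starts outside the hunk.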
- name: Create containers for the OpenStack services
become: yes
@@ -124,6 +128,11 @@
tags:
- skip_ansible_lint # running a sub job
+- name: Update CA certificates in containers
+ command: ansible containers -m shell -b -u ubuntu -a "update-ca-certificates"
+ tags:
+ - skip_ansible_lint # running a sub job
+
- name: Create containers' eth0 interface config file for DNS config via resolvconf program
when: not on_maas
template:
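Review bot: `-m shell` is passed to the sub-ansible run for a bare `update-ca-certificates`, which needs no shell features; the handlers this replaces in roles/pki-install/handlers/main.yml used `-m command`, which runs the program directly without a shell. Change it to `command: ansible containers -m command -b -u ubuntu -a "update-ca-certificates"` for consistency. Since this is now an unconditional task rather than a handler, it will also report changed on every run; if that is intended, a comment saying so next to the `skip_ansible_lint` tag would save the next reader a question.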
diff --git a/roles/juju-setup/defaults/main.yml b/roles/juju-setup/defaults/main.yml
index 74d7eee..840f49d 100644
--- a/roles/juju-setup/defaults/main.yml
+++ b/roles/juju-setup/defaults/main.yml
@@ -9,3 +9,4 @@
juju_config_path: /usr/local/src/juju_config.yml
charm_versions: {}
+pki_dir: "/opt/pki"
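Review bot: `pki_dir: "/opt/pki"` is now declared as a role default in five places in this commit (here, roles/pki-install, roles/xos-docker-images, roles/pki-root-ca and roles/pki-intermediate-ca), and the template file lookups and the pki-install copy tasks only work if all of them agree. A single definition in group_vars, or one vars file included by the playbooks as pki-install-playbook.yml already does for the profile manifests, would prevent the copies from drifting. If per-role defaults are kept intentionally, a comment like `# must match pki_dir in the pki-* roles` on each would at least flag the coupling.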
diff --git a/roles/juju-setup/templates/cord_juju_config.yml.j2 b/roles/juju-setup/templates/cord_juju_config.yml.j2
index 0b07590..e640289 100644
--- a/roles/juju-setup/templates/cord_juju_config.yml.j2
+++ b/roles/juju-setup/templates/cord_juju_config.yml.j2
@@ -16,9 +16,9 @@
ha-mcastport: 5403
openstack-origin: "cloud:trusty-kilo"
use-https: "yes"
- ssl_key: {{ lookup('file', '{{ playbook_dir }}/pki/intermediate_ca/private/keystone.{{ site_suffix }}_key.pem') | b64encode }}
- ssl_cert: {{ lookup('file', '{{ playbook_dir }}/pki/intermediate_ca/certs/keystone.{{ site_suffix }}_cert.pem') | b64encode }}
- ssl_ca: {{ lookup('file', '{{ playbook_dir }}/pki/intermediate_ca/certs/im_cert_chain.pem') | b64encode }}
+ ssl_key: {{ lookup('file', '{{ pki_dir }}/keystone.{{ site_suffix }}_key.pem') | b64encode }}
+ ssl_cert: {{ lookup('file', '{{ pki_dir }}/keystone.{{ site_suffix }}_cert.pem') | b64encode }}
+ ssl_ca: {{ lookup('file', '{{ pki_dir }}/im_cert_chain.pem') | b64encode }}
mongodb: {}
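Review bot: The rewritten `ssl_key`/`ssl_cert`/`ssl_ca` lines keep `{{ pki_dir }}` and `{{ site_suffix }}` inside a quoted string that is itself inside a `{{ }}` expression, which only works because Ansible re-templates lookup arguments; the defaults files in this same commit (roles/pki-root-ca and roles/pki-intermediate-ca) already switched the password lookups to plain concatenation. Using the same style here, e.g. `ssl_key: {{ lookup('file', pki_dir + '/keystone.' + site_suffix + '_key.pem') | b64encode }}`, and likewise for `ssl_cert` and `ssl_ca`, keeps the templates consistent with the defaults and avoids nested templating. The same applies to the corresponding three lines in roles/juju-setup/templates/opencloud_juju_config.yml.j2.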
@@ -58,4 +58,3 @@
rabbitmq-server:
ssl: "on"
-
diff --git a/roles/juju-setup/templates/opencloud_juju_config.yml.j2 b/roles/juju-setup/templates/opencloud_juju_config.yml.j2
index 4379a9f..b0d3e88 100644
--- a/roles/juju-setup/templates/opencloud_juju_config.yml.j2
+++ b/roles/juju-setup/templates/opencloud_juju_config.yml.j2
@@ -13,9 +13,9 @@
os-public-hostname: "keystone.{{ site_suffix }}"
use-https: "yes"
openstack-origin: "cloud:trusty-kilo"
- ssl_key: {{ lookup('file', '{{ playbook_dir }}/pki/intermediate_ca/private/keystone.{{ site_suffix }}_key.pem') | b64encode }}
- ssl_cert: {{ lookup('file', '{{ playbook_dir }}/pki/intermediate_ca/certs/keystone.{{ site_suffix }}_cert_chain.pem') | b64encode }}
- ssl_ca: {{ lookup('file', '{{ playbook_dir }}/pki/intermediate_ca/certs/im_cert_chain.pem') | b64encode }}
+ ssl_key: {{ lookup('file', '{{ pki_dir }}/keystone.{{ site_suffix }}_key.pem') | b64encode }}
+ ssl_cert: {{ lookup('file', '{{ pki_dir }}/keystone.{{ site_suffix }}_cert_chain.pem') | b64encode }}
+ ssl_ca: {{ lookup('file', '{{ pki_dir }}/im_cert_chain.pem') | b64encode }}
mongodb: {}
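Review bot: `ssl_cert` reads `{{ pki_dir }}/keystone.{{ site_suffix }}_cert_chain.pem`, but the only task in this commit that places keystone files directly under pki_dir (`Copy certs needed by OpenStack` in roles/pki-install/tasks/main.yml) copies `keystone.{{ site_suffix }}_key.pem` and `keystone.{{ site_suffix }}_cert.pem`, not a `_cert_chain.pem`; cord_juju_config.yml.j2 uses `_cert.pem` for the same key. Whether the lookup fails depends on where pki_dir has been populated when the template is rendered, but either the chain file should be added to that copy task's `with_items` or this line should reference `keystone.{{ site_suffix }}_cert.pem` like the other template. `_cert.pem` and `_cert_chain.pem` are different files, so the choice should follow what keystone is expected to present to clients.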
@@ -57,4 +57,3 @@
rabbitmq-server:
ssl: "on"
-
diff --git a/roles/onos-cord-install/tasks/main.yml b/roles/onos-cord-install/tasks/main.yml
index 16991ff..441dc07 100644
--- a/roles/onos-cord-install/tasks/main.yml
+++ b/roles/onos-cord-install/tasks/main.yml
@@ -56,4 +56,3 @@
command: chdir="{{ onos_cord_dest }}" docker-compose up -d
tags:
- skip_ansible_lint
-
diff --git a/roles/pki-install/defaults/main.yml b/roles/pki-install/defaults/main.yml
new file mode 100644
index 0000000..86c15ae
--- /dev/null
+++ b/roles/pki-install/defaults/main.yml
@@ -0,0 +1,4 @@
+# pki-install/defaults/main.yml
+
+pki_dir: "/opt/pki"
+use_openstack: True
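Review bot: The new defaults file has no `---` document start, unlike the other defaults files touched in this commit (roles/pki-root-ca, roles/pki-intermediate-ca, roles/xos-docker-images), which all begin with `---` before the filename comment. Add `---` as the first line to keep the role files consistent.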
diff --git a/roles/pki-install/handlers/main.yml b/roles/pki-install/handlers/main.yml
index 409ab0f..70b0e2c 100644
--- a/roles/pki-install/handlers/main.yml
+++ b/roles/pki-install/handlers/main.yml
@@ -4,13 +4,3 @@
- name: Run update-ca-certificates on head node
become: yes
command: update-ca-certificates
-
-- name: Copy root CA cert to all service VMs
- command: ansible services -b -u ubuntu -m copy -a "src=/usr/local/share/ca-certificates/cord_root_ca.crt dest=/usr/local/share/ca-certificates/cord_root_ca.crt owner=root group=root mode=0644"
-
-- name: Copy intermediate CA cert to all service VMs
- command: ansible services -b -u ubuntu -m copy -a "src=/usr/local/share/ca-certificates/cord_intermediate_ca.crt dest=/usr/local/share/ca-certificates/cord_intermediate_ca.crt owner=root group=root mode=0644"
-
-- name: update-ca-certificates in service VMs
- command: ansible services -b -u ubuntu -m command -a "update-ca-certificates"
-
diff --git a/roles/pki-install/tasks/main.yml b/roles/pki-install/tasks/main.yml
index 136b8c7..72cd0f8 100644
--- a/roles/pki-install/tasks/main.yml
+++ b/roles/pki-install/tasks/main.yml
@@ -4,7 +4,7 @@
- name: Copy CA certificates to head node
become: yes
copy:
- src: "{{ playbook_dir }}/pki/{{ item.src }}"
+ src: "{{ pki_dir }}/{{ item.src }}"
dest: "/usr/local/share/ca-certificates/{{ item.dest }}"
with_items:
- src: "root_ca/certs/ca_cert.pem"
@@ -13,6 +13,30 @@
dest: "cord_intermediate_ca.crt"
notify:
- Run update-ca-certificates on head node
- - Copy root CA cert to all service VMs
- - Copy intermediate CA cert to all service VMs
- - update-ca-certificates in service VMs
+
+- name: Ensure PKI directory
+ become: yes
+ file:
+ path: "{{ pki_dir }}"
+ state: directory
+
+- name: Copy certs needed by XOS
+ become: yes
+ copy:
+ src: "{{ pki_dir }}/{{ item.src }}"
+ dest: "{{ pki_dir }}/{{ item.dest }}"
+ with_items:
+ - src: "intermediate_ca/certs/im_cert_chain.pem"
+ dest: "im_cert_chain.pem"
+
+- name: Copy certs needed by OpenStack
+ become: yes
+ when: use_openstack
+ copy:
+ src: "{{ pki_dir }}/{{ item.src }}"
+ dest: "{{ pki_dir }}/{{ item.dest }}"
+ with_items:
+ - src: "intermediate_ca/private/keystone.{{ site_suffix }}_key.pem"
+ dest: "keystone.{{ site_suffix }}_key.pem"
+ - src: "intermediate_ca/certs/keystone.{{ site_suffix }}_cert.pem"
+ dest: "keystone.{{ site_suffix }}_cert.pem"
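Review bot: The `Copy certs needed by OpenStack` task places the keystone private key at `{{ pki_dir }}/keystone.{{ site_suffix }}_key.pem` on the head node as root with no `mode`, so the copy module's default permissions apply and the key may end up readable by every local user; the `Ensure PKI directory` task above it likewise sets no `mode` or `owner`. Add a per-item mode, `mode: "{{ item.mode }}"` under `copy:` with `mode: "0600"` on the key entry and `mode: "0644"` on the cert entry, or split the key into its own task with `mode: "0600"`. If `{{ pki_dir }}` is meant to hold private material, give `Ensure PKI directory` an explicit `mode` as well.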
diff --git a/roles/pki-intermediate-ca/defaults/main.yml b/roles/pki-intermediate-ca/defaults/main.yml
index 24801d3..feecca8 100644
--- a/roles/pki-intermediate-ca/defaults/main.yml
+++ b/roles/pki-intermediate-ca/defaults/main.yml
@@ -1,7 +1,8 @@
---
# pki-intermediate-ca/defaults/main.yml
-pki_dir: "{{ playbook_dir }}/pki"
+pki_dir: "/opt/pki"
+credentials_dir: "/opt/credentials"
# crypto parameters
ca_digest: "sha256"
@@ -9,8 +10,7 @@
ca_im_days: 730
# passphrases for the certificate
-ca_im_phrase: "{{ lookup('password', 'credentials/ca_im_phrase length=64') }}"
+ca_im_phrase: "{{ lookup('password', credentials_dir+'/ca_im_phrase length=64') }}"
# noninteractive csr subject
ca_im_subj: "/C=US/ST=California/L=Menlo Park/O=ON.Lab/OU=Test Deployment/CN=CORD Test Deployment Intermediate CA"
-
diff --git a/roles/pki-intermediate-ca/tasks/main.yml b/roles/pki-intermediate-ca/tasks/main.yml
index ac066ac..fe8aeea 100644
--- a/roles/pki-intermediate-ca/tasks/main.yml
+++ b/roles/pki-intermediate-ca/tasks/main.yml
@@ -1,6 +1,14 @@
---
# pki-ca/tasks/main.yml
+- name: Create PKI directory
+ become: yes
+ file:
+ dest: "{{ pki_dir }}"
+ state: directory
+ owner: "{{ ansible_user_id }}"
+ mode: 0755
+
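Review bot: The `Create PKI directory` task added here is identical to the one added to roles/pki-root-ca/tasks/main.yml in this commit (same `dest`, `owner` and `mode: 0755`), so both roles now claim ownership of `{{ pki_dir }}`. deploy-xos-playbook.yml runs the root-CA role before this one, so this copy could be dropped, or both could move into one shared include so a later change to the directory's permissions is made once. `mode: 0755` makes the directory itself world-readable; the private keys written under `intermediate_ca/private` (created outside this hunk) rely on that subdirectory's own mode for protection, which is worth confirming is `0700`.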
- name: Create intermediate CA directory
become: yes
file:
@@ -117,4 +125,3 @@
copy:
dest: "{{ pki_dir }}/intermediate_ca/certs/im_cert_chain.pem"
content: "{{ im_cert.stdout }}\n{{ ca_cert.stdout }}"
-
diff --git a/roles/pki-root-ca/defaults/main.yml b/roles/pki-root-ca/defaults/main.yml
index 326eb36..8f6888c 100644
--- a/roles/pki-root-ca/defaults/main.yml
+++ b/roles/pki-root-ca/defaults/main.yml
@@ -1,8 +1,8 @@
---
# pki-root-ca/defaults/main.yml
-pki_dir: "{{ playbook_dir }}/pki"
-credentials_dir: "{{ playbook_dir }}/credentials"
+pki_dir: "/opt/pki"
+credentials_dir: "/opt/credentials"
# ca parameters
ca_digest: "sha256"
@@ -10,7 +10,7 @@
ca_root_days: 3650
# passphrases for the key
-ca_root_phrase: "{{ lookup('password', 'credentials/ca_root_phrase length=64') }}"
+ca_root_phrase: "{{ lookup('password', credentials_dir+'/ca_root_phrase length=64') }}"
# noninteractive csr subject
ca_root_subj: "/C=US/ST=California/L=Menlo Park/O=ON.Lab/OU=Test Deployment/CN=CORD Test Deployment Root CA"
diff --git a/roles/pki-root-ca/tasks/main.yml b/roles/pki-root-ca/tasks/main.yml
index 6da6e9b..8c2f34d 100644
--- a/roles/pki-root-ca/tasks/main.yml
+++ b/roles/pki-root-ca/tasks/main.yml
@@ -1,7 +1,7 @@
---
# pki-root-ca/tasks/main.yml
-- name: Make sure credentials directory has proper ownership
+- name: Create credentials directory
become: yes
file:
dest: "{{ credentials_dir }}"
@@ -9,6 +9,14 @@
owner: "{{ ansible_user_id }}"
mode: 0700
+- name: Create PKI directory
+ become: yes
+ file:
+ dest: "{{ pki_dir }}"
+ state: directory
+ owner: "{{ ansible_user_id }}"
+ mode: 0755
+
- name: Create root CA directory
become: yes
file:
@@ -88,4 +96,3 @@
-out {{ pki_dir }}/root_ca/certs/ca_cert.pem
args:
creates: "{{ pki_dir }}/root_ca/certs/ca_cert.pem"
-
diff --git a/roles/xos-docker-images/defaults/main.yml b/roles/xos-docker-images/defaults/main.yml
index 22943b2..bb96fea 100644
--- a/roles/xos-docker-images/defaults/main.yml
+++ b/roles/xos-docker-images/defaults/main.yml
@@ -1,6 +1,7 @@
---
# xos-docker-images/defaults/main.yml
+pki_dir: "/opt/pki"
cord_dir: "{{ ansible_user_dir + '/cord' }}"
build_xos_base_image: False
@@ -11,4 +12,3 @@
push_xos_base_image: False
push_xos_image: False
-
diff --git a/roles/xos-docker-images/tasks/main.yml b/roles/xos-docker-images/tasks/main.yml
index ed9670f..421fb6f 100644
--- a/roles/xos-docker-images/tasks/main.yml
+++ b/roles/xos-docker-images/tasks/main.yml
@@ -21,9 +21,10 @@
tags:
- skip_ansible_lint # idempotent git metadata retrieval, git module can't do this
+# Should mount certs in the image rather than baking them in
- name: Copy over SSL CA certificates
copy:
- src: "{{ playbook_dir }}/pki/intermediate_ca/certs/im_cert_chain.pem"
+ src: "{{ pki_dir }}/im_cert_chain.pem"
dest: "{{ cord_dir }}/orchestration/xos/containers/xos/local_certs.crt"
mode: 0644
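Review bot: The new comment `# Should mount certs in the image rather than baking them in` records a known shortcoming but carries no marker that reviewers or tooling grep for; `# TODO: mount the CA chain into the container at runtime instead of copying it into the image build context` says the same thing and is discoverable. Since the file copied here is `im_cert_chain.pem`, a public certificate chain, baking it in is a maintenance issue rather than a secret leak, which the comment could also make explicit.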
@@ -44,9 +45,9 @@
pull: False # use the locally built copy of xosproject/xos
- name: Clean up chameleon temp directory
- shell: rm -rf {{ cord_dir }}/orchestration/xos/containers/chameleon/tmp.chameleon
- tags:
- - skip_ansible_lint # docker can't access files outside of build context, so we must copy
+ file:
+ path: "{{ cord_dir }}/orchestration/xos/containers/chameleon/tmp.chameleon"
+ state: absent
- name: Populate chameleon temp directory
shell: cp -a "{{ cord_dir }}/component/chameleon" "{{ cord_dir }}/orchestration/xos/containers/chameleon/tmp.chameleon"
@@ -87,4 +88,3 @@
name: "{{ deploy_docker_registry }}/xosproject/xos"
tag: "{{ deploy_docker_tag }}"
push: True
-